Differences

This shows you the differences between two versions of the page.

devel:documentation:security:dev:authentication [2019/01/18 10:18]
apeterova
devel:documentation:security:dev:authentication [2020/06/15 11:12]
kopro [Actual list of authenticators] since edit
Line 69: Line 69:
 {{:navrh:02.png|}} {{:navrh:02.png|}}
  
-===== Password change & old password ===== 
  
-When users want to change their password in IdM, they will be required to fill their old password (unless the configuration attribute requireOldPassword is set differently, see below). It's possible that their local password in CzechIdM is distinct from their password in end systems. In such situation, users must use the password which satisfies the authentication chain (the same authentication chain that is used during authentication - same rules, same order of processing). If the (old) password is validated successfully, users can change their password.+=== DefaultAccMultipleSystemAuthenticator ===
  
-The configuration attribute **idm.pub.core.identity.passwordChange.requireOldPassword=** determines whether the users are required to fill in the old password when changing their password. The possible values are: +Since 10.4.0. 
-  * true the old password is required, + 
-  * false - the old password is not required.+[[https://github.com/bcvsolutions/CzechIdMng/blob/okopr/2046-authentication-against-multiple-systems/Realization/backend/acc/src/main/java/eu/bcvsolutions/idm/acc/security/authentication/impl/DefaultAccMultipleSystemAuthenticator.java|DefaultAccMultipleSystemAuthenticator]] has same behavior as [[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/acc/src/main/java/eu/bcvsolutions/idm/acc/security/authentication/impl/DefaultAccAuthenticator.java|DefaultAccAuthenticator]] but is allowed more system for authentication than oneAuthenticator is placed between **DefaultAccAuthenticator** and **DefaultCoreAuthenticator**, more priority has original authenticator **DefaultAccAuthenticator**. 
 + 
 +<note tip>All behavior with authentication is same as original **DefaultAccAuthenticator**.</note> 
 + 
 +The end systems are defined with configuration properties. For example
 +<code> 
 +idm.sec.acc.security.auth.order1.systemId=e6a8b1e7-d656-47ae-aa2d-1062d1583c1a 
 +idm.sec.acc.security.auth.order2.systemId=ea86a399-9b26-4f75-9b3a-d3f0049031ef 
 +idm.sec.acc.security.auth.order3.systemId= 
 +idm.sec.acc.security.auth.order4.systemId= 
 +idm.sec.acc.security.auth.order5.systemId=eb24ee1e-da69-4e8a-8b7d-8e41691f09e4 
 +idm.sec.acc.security.auth.order6.systemId= 
 +idm.sec.acc.security.auth.order7.systemId=e6a8b1e7-d656-47ae-aa2d-1062d1583c1a 
 +idm.sec.acc.security.auth.order8.systemId= 
 +idm.sec.acc.security.auth.order9.systemId=71fcccb6-5865-48e6-8fba-3d4d963d9f45 
 +</code> 
 + 
 +Authentication is done from lowest order to highest. Maximum order is defined with the configuration property (default count is 50): 
 +<code> 
 +idm.sec.acc.security.auth.maximumSystemCount=50 
 +</code> 
 + 
 +Configuration property can be null or empty. **These configurations will be skipped**.
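Review bot: The example configuration lists the same systemId (e6a8b1e7-d656-47ae-aa2d-1062d1583c1a) at both order1 and order7, so a reader cannot tell whether the authenticator tolerates duplicates (and silently tries the same end system twice) or whether this is a copy-paste slip; either drop the repeat or state explicitly how duplicate systems are handled. The description sentence also needs repair: "is allowed more system for authentication than oneAuthenticator is placed between" has lost its sentence break, and the text should say what happens when an identity has no account on a listed system or that system rejects the password (does the chain continue to the next order or stop, and is the failure logged), as well as what happens when an orderN above maximumSystemCount is configured. The DefaultAccMultipleSystemAuthenticator link points at the feature branch okopr/2046-authentication-against-multiple-systems rather than develop like the neighbouring DefaultAccAuthenticator link, so it will break once the branch is merged and deleted. Finally, this revision removes the "Password change & old password" section and the idm.pub.core.identity.passwordChange.requireOldPassword documentation with no replacement visible in the hunk; confirm that content was moved elsewhere on the page rather than dropped.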